Firewall Wizards mailing list archives

RE: PIX -> ISA -> OWA Configuration


From: "Jeremiah Cornelius" <jeremiah () nur net>
Date: Sun, 15 May 2005 23:10:08 -0700

I've found personally that a correctly implemented VPN solution is 1000
times better than trying to get OWA deployed and *safe*.

There is real foolishness in the VPN suggestion - offering all of layers
2 and 3 to remote clients for the sake of a single application. This is
weak science, and "architecture by anecdote".

Taken as a proposed method for limiting attack surface, I think that it
needs serious re-examination!

Give me a threat model for full network client access, vs. that of an
application inspection firewall, proxying SSL - such as ISA 2004.  Good!
Notice anything? Now supply me with motivated attackers.  OWA/ISA is the
safest bet for remote access of Exchange systems, and this can be
quantified using models, not by asserting a bias, or making category
generalizations.

The only people who should ever get full VPN access are systems and
network administrators, with a demonstrated need.  They should be
subject to extensive logging, and a separate audit. There are
application-oriented solutions that meet the needs of other users,
without a "default allow" policy.  I often despair, that we will spend
the next 20 years rolling-back the broad remote access that was granted
over the last 10.

Jeremiah Cornelius
CISSP, ISSAP, CCNA, MCSE+S
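
As an added illustration of the attack-surface argument above (this is not from the thread or from any poster; the addresses, the interface names and the ISA-side publishing rule are assumptions), a PIX 6.x fragment that exposes exactly one TCP port on one host to the Internet, the ISA 2004 external listener that proxies SSL for OWA. The commented line at the end is the contrasting default-allow case: with `sysopt connection permit-ipsec` in effect, decrypted IPsec traffic from a remote-access client bypasses the interface ACL altogether, which is the "all of layers 2 and 3" picture the message objects to.

```cisco
! Hypothetical PIX 6.x fragment (added example, not from the thread).
! 192.0.2.10 is the assumed public address of the ISA 2004 external
! (web-listener) interface; 10.0.1.10 is its assumed real address on the
! DMZ. The Exchange server behind ISA is never addressed from outside.
static (dmz,outside) 192.0.2.10 10.0.1.10 netmask 255.255.255.255 0 0
!
! Only TCP/443 from anywhere, and only to the ISA listener. Everything
! else is dropped and logged; the implicit deny is made explicit so the
! log shows what was tried.
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! Contrast: the full-tunnel remote-access alternative. With this option
! set, traffic arriving through an IPsec tunnel skips outside_in entirely,
! so the remote client sees whatever the tunnel's crypto map lets through.
! sysopt connection permit-ipsec
```

The PIX here only narrows the surface to one port on one host; the application inspection happens on the ISA side, where the (assumed) OWA web publishing rule terminates SSL on the listener, authenticates the user before any request is forwarded, and re-originates the connection to Exchange. Logging on the PIX deny line and on the ISA publishing rule gives the separate audit trail the message asks for.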


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Thomas W Shinder
Sent: Friday, May 13, 2005 11:16 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] PIX -> ISA -> OWA Configuration

Since the ISA firewall was designed to protect OWA, what would be the
rationale for not using an ISA firewall?


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Chris
Blask
Sent: Monday, May 09, 2005 8:44 PM
To: vbwilliams () neb rr com; Paul Melson
Cc: woodsd001 () hawaii rr com; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration

Hi folks!

At 10:47 AM 5/7/2005, Victor Williams wrote:
Personally, I didn't see any reason to state the obvious when it was there
for everyone to see.

There is no *safe* or *best* way to deploy that architecture as far as I'm
concerned.  The sooner everyone just accepts that, the better off everyone
will be.

Everyone that counts (the folks who pay for all this stuff) doesn't give a
mongoose's hooter what architecture is used, they just want their apps to
work where they need them.  On this one I agree with them whole-heartedly:
I'd like to be able to read my email displayed on the fannies of migratory
waterfowl.  I'll settle for bioptic HUD glasses that can overlay the text
as opposed to actually laser-printing on loons, but it better be no less
secure than a workstation in a cube however it gets done.

I've found personally that a correctly implemented VPN solution is 1000
times better than trying to get OWA deployed and *safe*.

The only problem with VPNs is kiosks and other Not-My-Computer
situations.  Webmail will be implemented (even, I shudder to say, OWA)
because we haven't yet made VPNs fully portable.

If you have to use OWA, I'd use one of the mail firewalls out there
(BorderWare or IronMail, for example) in front of it.  Something like that
gives you a break in the chain between your MaxiSoft servers and the World,
and a dev team to maintain it and pester when you feel antsy.

-cheers!

-chris


Chris Blask
chris () blask org
blaskworks.blogspot.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

